You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardexpand all lines: articles/security/store-tokens.md
+13-11
Original file line number
Diff line number
Diff line change
@@ -1,5 +1,6 @@
1
1
---
2
-
description: Explains how to securely store tokens used in token-based authentication.
2
+
description: In this guide we outline how to store tokens used in token-based authentication.
3
+
toc: true
3
4
topics:
4
5
- security
5
6
- security-bulletins
@@ -13,21 +14,21 @@ useCase:
13
14
14
15
# Where to Store Tokens
15
16
16
-
This document explains how to securely store [tokens](/tokens) used in token-based authentication.
17
+
Not sure where to store [tokens](/tokens)? This guide outlines how to securely store tokens used in token-based authentication.
17
18
18
-
## Do not store tokens in the browser
19
+
## Don't store tokens in local storage
19
20
20
-
You should not store tokens in the browser's local storage or session storage. Data stored in the browser is vulnerable to [cross-site scripting](https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)) and malicious parties can potentially steal or alter that data.
21
+
Browser local storage (or session storage) is not secure. Any data stored there may be vulnerable to [cross-site scripting](https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)). If an attacker steals a token, they can gain access to and make requests to your API. Treat tokens like credit card numbers or passwords: don’t store them in local storage.
21
22
22
-
## Store tokens when a backend is present
23
+
## If a backend is present
23
24
24
-
If your application has a backend server at all, then you should use the [Authorization Code flow](/application-auth/current/server-side-web) for authentication. Native applications should use the [Authorization Code flow with Proof Key for Code Exchange](/application-auth/current/mobile-desktop).
25
+
If your application has a backend server at all, then tokens should be handled server-side using the [Authorization Code flow](/application-auth/current/server-side-web), [Authorization Code flow with Proof Key for Code Exchange](/application-auth/current/mobile-desktop), or hybrid flow.
25
26
26
-
## Store tokens without a backend
27
+
## Single page applications
27
28
28
29
If you have a single page application (SPA) with no corresponding backend server, your SPA should request new tokens on page load and store them in memory without any persistence. To make API calls, your SPA would then use the in-memory copy of the token.
29
30
30
-
## Using Cookies
31
+
## Using cookies
31
32
32
33
You can also use cookies to store the JWT. The exact way to set a cookie depends on the client side language you are using.
33
34
@@ -37,8 +38,9 @@ There are different options to control the lifetime of a cookie:
37
38
* Implement a server side check (typically done for you by the web framework in use), and you could implement expiration or sliding window expiration.
38
39
* Cookies can be persistent (not destroyed after the browser is closed) with an expiration.
39
40
* Cookies can be read by both the JavaScript and the server side code or only server side if the `httpOnly` flag is set.
41
+
* You can set the `secure=true` flag so cookies can only be set over an encrypted connection.
40
42
41
-
## Understanding Sessions and Cookies
43
+
###Understanding sessions and cookies
42
44
43
45
:::warning
44
46
Please be sure to refer to the [Lock API documentation](/libraries/lock/v10/api) for the most up-to-date code snippets.
@@ -48,10 +50,10 @@ Please be sure to refer to the [Lock API documentation](/libraries/lock/v10/api)
48
50
49
51
This video will show you how to handle session data when building a web app. It will help you understand how your application uses cookies and sessions to manage the state of an authenticated user. This video example uses Node.js with Passport, but the techniques apply to any traditional server-based web application.
50
52
51
-
#### Cookie Disadvantages
53
+
###Disadvantages of cookies
52
54
53
55
* The max size of a cookie is only 4kb so that may be problematic if you have many claims attached to the token.
54
-
* Cookies can be vulnerable to cross-site request forgery (CSRF or XSRF) attacks. This type of attack occurs when a malicious web site causes a user’s web browser to perform an unwanted action on a trusted site where the user is currently authenticated. This is an exploit of how the browser handles cookies. Using a web app framework’s CSRF protection makes cookies a secure option for storing a JWT. CSRF can also be partially prevented by checking the HTTP `Referer` and `Origin` header.
56
+
* Cookies can be vulnerable to cross-site request forgery (CSRF or XSRF) attacks. Using a web app framework’s CSRF protection makes cookies a secure option for storing a JWT. CSRF can also be partially prevented by checking the HTTP `Referer` and `Origin` header. You can also set the `SameSite=strict` cookie flag to prevent CSRF attacks.
55
57
* Can be difficult to implement if the application requires cross-domain access. Cookies have additional properties (Domain/Path) that can be modified to allow you to specify where the cookie is allowed to be sent.
0 commit comments